2026-07-17
An MCP server is not a passive library. Once your agent connects to it, the server can be handed your files, your credentials, and the ability to call other tools on your behalf. A bad one is a direct line to your data. Here is a practical way to decide whether to trust one before you connect it.
Check the tools it exposes and the permissions or environment variables it wants. A weather server that asks for filesystem access or your shell is a mismatch. The stated purpose should match the capability it requests.
Prefer the server from the vendor whose API it wraps, or a well-known maintainer, over a random re-publish. Check the npm publish history and the linked repository. One publish, no repo, and a brand-new account is worth more scrutiny.
Do not install a floating latest. Pin a specific version so an update cannot silently change behavior after you have vetted it, and diff the change when you do update.
A server's package is small, so it is worth actually looking at. What matters: does it read credential files or secrets it has no reason to touch, does it send data to a hardcoded host, does it run code fetched at runtime, does it ship an install script. You can do this by hand, or point a scanner at it.
Give it only the scope it needs. If it only needs to read, do not grant write. If it does not need the network, sandbox it.
Lazaretto does step 4 for you: point it at a server's package and it fetches the code
without running it and returns a verdict with evidence. There are pre-scanned pages for
popular servers, a free browser scan, and Lazaretto is
itself a remote MCP server your agent can call to check a tool before it installs it.
A clear result means nothing matched: a signal, not a warranty.
Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.